August 31, 2024 at 12:06PM
North Korean threat actors exploited a recently patched security flaw in Google Chrome and Chromium web browsers to deploy the FudModule rootkit. Microsoft attributed this activity to a group known as Citrine Sleet, part of the Lazarus Group, targeting financial institutions involved in cryptocurrency. The attack involved a zero-day exploit and social engineering tactics to steal digital assets.
Key takeaways from the meeting notes:
– North Korean threat actors exploited a recently patched security flaw in Google Chrome and other Chromium web browsers to deploy the FudModule rootkit as part of their campaign.
– The threat actor, Citrine Sleet, primarily targets financial institutions and individuals involved in cryptocurrency for financial gain through extensive reconnaissance and social engineering tactics.
– The attack involved setting up fake websites to trick users into installing weaponized cryptocurrency wallets or trading applications to facilitate theft of digital assets.
– The observed zero-day exploit attack involved the exploitation of CVE-2024-7971, a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine that allowed remote code execution in the sandboxed Chromium renderer process.
– The attack chain also included the exploitation of CVE-2024-38106, a Windows kernel privilege escalation bug, which occurred after Microsoft released a patch for it, suggesting potential knowledge sharing or independent discovery by threat actors.
– Citrine Sleet has leveraged multiple vulnerabilities this year to drop the FudModule rootkit, highlighting the importance of keeping systems up to date and having security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation.